AshPolicyAuthorizer.Check behaviour (ash_policy_authorizer v0.16.5) View Source
A behaviour for declaring checks, which can be used to easily construct authorization rules.
If a check can be expressed simply as a function of the actor, or the context of the request,
see AshPolicyAuthorizer.SimpleCheck
for an easy way to write that check.
If a check can be expressed simply with a filter statement, see AshPolicyAuthorizer.FilterCheck
for an easy way to write that check.
Link to this section Summary
Callbacks
An optional callback, that allows the check to work with policies set to access_type :filter
An optional callback, hat allows the check to work with policies set to access_type :runtime
Describe the check in human readable format, given the options
Strict checks should be cheap, and should never result in external calls (like database or api)
The type fo the check
Link to this section Types
Specs
authorizer() :: AshPolicyAuthorizer.Authorizer.t()
Specs
check_type() :: :simple | :filter | :manual
Specs
options() :: Keyword.t()
Link to this section Callbacks
Specs
auto_filter(struct(), authorizer(), options()) :: Keyword.t()
An optional callback, that allows the check to work with policies set to access_type :filter
Return a keyword list filter that will be applied to the query being made, and will scope the results to match the rule
Specs
check(struct(), [Ash.Resource.record()], map(), options()) :: {:ok, [Ash.Resource.record()] | boolean()} | {:error, Ash.Error.t()}
An optional callback, hat allows the check to work with policies set to access_type :runtime
Takes a list of records, and returns {:ok, true}
if they are all authorized, or {:ok, list}
containing the list
of records that are authorized. You can also just return the whole list, {:ok, true}
is just a shortcut.
Can also return {:error, error}
if something goes wrong
Specs
Describe the check in human readable format, given the options
Specs
strict_check(struct(), authorizer(), options()) :: {:ok, boolean() | :unknown}
Strict checks should be cheap, and should never result in external calls (like database or api)
It should return {:ok, true}
if it can tell that the request is authorized, and {:ok, false}
if
it can tell that it is not. If unsure, it should return {:ok, :unknown}
Specs
type() :: check_type()
The type fo the check
:manual
checks must be written by hand as standard check modules
:filter
checks can use AshPolicyAuthorizer.FilterCheck
for simplicity
:simple
checks can use AshPolicyAuthorizer.SimpleCheck
for simplicity